By using AWS re:Post, you agree to the Terms of Use

Questions tagged with S3 Select

Sort by most recent

Browse through the questions and answers listed below or filter and sort to narrow down your results.

S3 IAM error while "put" ing logs from ALB to S3 bucket

**s3.tf** ``` resource "aws_iam_role" "iam_role_replication" { name = "tf-iam-role-replication-12345" assume_role_policy = <<POLICY { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Principal": { "Service": "s3.amazonaws.com" }, "Effect": "Allow", "Sid": "" } ] } POLICY } resource "aws_iam_policy" "iam_policy_replication" { name = "tf-iam-role-policy-replication-12345" policy = <<POLICY { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetReplicationConfiguration", "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "${aws_s3_bucket.s3_bucket_master.arn}" ] }, { "Action": [ "s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging" ], "Effect": "Allow", "Resource": [ "${aws_s3_bucket.s3_bucket_master.arn}/*" ] }, { "Action": [ "s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags" ], "Effect": "Allow", "Resource": "${aws_s3_bucket.s3_bucket_slave.arn}/*" } ] } POLICY } resource "aws_iam_role_policy_attachment" "replication" { role = aws_iam_role.iam_role_replication.name policy_arn = aws_iam_policy.iam_policy_replication.arn } resource "aws_s3_bucket" "s3_bucket_slave" { bucket_prefix = "s3-bucket-slave-" } resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_slave_sse_config" { bucket = aws_s3_bucket.s3_bucket_slave.bucket rule { apply_server_side_encryption_by_default { kms_master_key_id = aws_kms_key.s3_kms_key.arn sse_algorithm = "aws:kms" } } } resource "aws_s3_bucket_versioning" "s3_bucket_slave_versioning" { bucket = aws_s3_bucket.s3_bucket_slave.id versioning_configuration { status = "Enabled" } } resource "aws_s3_bucket" "s3_bucket_master" { bucket_prefix = "s3-bucket-master-" } resource "aws_s3_bucket_policy" "s3_bucket_master_alb_put_policy" { bucket = aws_s3_bucket.s3_bucket_master.id policy = <<POLICY { "Id": "Policy", "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:PutObject" ], "Effect": "Allow", "Resource": "${aws_s3_bucket.s3_bucket_master.arn}/access-logs-bucket/*", "Principal": { "AWS": [ "${data.aws_elb_service_account.main.arn}" ] } } ] } POLICY } resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_master_sse_config" { bucket = aws_s3_bucket.s3_bucket_master.bucket rule { apply_server_side_encryption_by_default { kms_master_key_id = aws_kms_key.s3_kms_key.arn sse_algorithm = "aws:kms" } } } resource "aws_s3_bucket_versioning" "s3_bucket_master_versioning" { bucket = aws_s3_bucket.s3_bucket_master.id versioning_configuration { status = "Enabled" } } resource "aws_s3_bucket_replication_configuration" "s3_bucket_master_replication" { # Must have bucket versioning enabled first depends_on = [aws_s3_bucket_versioning.s3_bucket_master_versioning] role = aws_iam_role.iam_role_replication.arn bucket = aws_s3_bucket.s3_bucket_master.id rule { id = "foobar" delete_marker_replication { status = "Disabled" } filter { prefix = "foo" } status = "Enabled" destination { bucket = aws_s3_bucket.s3_bucket_slave.arn storage_class = "STANDARD" } } } resource "aws_s3_bucket_acl" "s3_bucket_master_acl" { bucket = aws_s3_bucket.s3_bucket_master.id acl = "private" } resource "aws_s3_bucket_acl" "s3_bucket_slave_acl" { bucket = aws_s3_bucket.s3_bucket_slave.id acl = "log-delivery-write" } resource "aws_s3_bucket_public_access_block" "s3_bucket_master_public_access" { bucket = aws_s3_bucket.s3_bucket_master.id restrict_public_buckets = true block_public_acls = true block_public_policy = true ignore_public_acls = true } resource "aws_s3_bucket_public_access_block" "s3_bucket_slave_public_access" { bucket = aws_s3_bucket.s3_bucket_slave.id restrict_public_buckets = true block_public_acls = true block_public_policy = true ignore_public_acls = true } resource "aws_s3_bucket_logging" "example" { bucket = aws_s3_bucket.s3_bucket_master.id target_bucket = aws_s3_bucket.s3_bucket_slave.id target_prefix = "log/" } ``` **alb.tf** ``` #################################################### # Target Group Creation #################################################### resource "aws_lb_target_group" "lb_tg" { name = "alb-target-group" port = 80 target_type = "instance" protocol = "HTTP" vpc_id = aws_vpc.vpc.id } #################################################### # Target Group Attachment with Instance #################################################### resource "aws_alb_target_group_attachment" "tg_attachment" { count = length(aws_instance.instance.*.id) == 3 ? 3 : 0 target_group_arn = aws_lb_target_group.lb_tg.arn target_id = element(aws_instance.instance.*.id, count.index) } #################################################### # Application Load balancer #################################################### resource "aws_lb" "lb" { name = "alb" internal = true load_balancer_type = "application" security_groups = [aws_security_group.sg.id, ] subnets = aws_subnet.public_subnet.*.id drop_invalid_header_fields = true access_logs { bucket = aws_s3_bucket.s3_bucket_master.bucket prefix = "access-logs-bucket" enabled = true } enable_deletion_protection = true } #################################################### # Listner #################################################### resource "aws_lb_listener" "front_end" { load_balancer_arn = aws_lb.lb.arn port = "80" protocol = "HTTP" default_action { type = "redirect" redirect { port = "443" protocol = "HTTPS" status_code = "HTTP_301" } } } #################################################### # Listener Rule #################################################### resource "aws_lb_listener_rule" "static" { listener_arn = aws_lb_listener.front_end.arn priority = 100 action { type = "forward" target_group_arn = aws_lb_target_group.lb_tg.arn } condition { path_pattern { values = ["/var/www/html/index.html"] } } } ``` **data.tf** ``` # Get user data "aws_caller_identity" "current" {} # Get Account data "aws_elb_service_account" "main" {} ``` Unfortunately, I am getting errors like the below: ``` ╷ │ Error: failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: s3-bucket-master-20220713230235453200000002. Please check S3bucket permission │ status code: 400, request id: 17cb8a1b-d914-4fe5-b6cd-5db02f335cc4 │ │ with aws_lb.lb, │ on alb.tf line 27, in resource "aws_lb" "lb": │ 27: resource "aws_lb" "lb" { │ ╵ ``` I followed the article from https://stackoverflow.com/questions/43366038/terraform-elb-s3-permissions-issue I am struggling to understand what exactly the issue is and I am kind of blocked. Any help would be much appreciated.
1
answers
0
votes
62
views
asked 2 months ago